A version of this article first appeared in the Daily Journal on May 22, 2018.

When you share your DNA with a private genealogy database, it’s not only potential relatives searching for matches. The Golden State Killer case shows that law enforcement—and others—may be searching your DNA too, without legal restraints against misuse. This raises privacy and civil liberties concerns that should alarm everyone, even if you think you have nothing to hide.

According to news reports, police identified Joseph DeAngelo, the alleged Golden State Killer, by uploading crime scene DNA under a false name to a crowd-sourced, privately run, genealogy database. Using a technique called “familial searching,” which identifies genetically similar DNA, investigators found a kinship match between the forensic DNA and DNA from DeAngelo’s distant relative. Investigators then surreptitiously collected “discarded” DNA from DeAngelo himself, ultimately matching that to the original forensic sample.

The Golden State Killer, a serial rapist and murderer, eluded police for years. DeAngelo's arrest seems to have solved this decades-old cold case. However, allowing police and private companies to use these techniques without legal constraints violates privacy and could link people to crimes they didn’t commit.

DNA has implicated the wrong person in the past. Court records indicate police originally—and mistakenly—suspected an Oregon man was the Golden State Killer based on similar DNA research. In 2014, familial DNA searching led police to suspect that a New Orleans resident had committed a years-earlier Idaho rape and murder. A second DNA test cleared his name. And in 2012, a California man named Lukis Anderson was implicated in a murder after his DNA was found at the crime scene, despite a rock-solid alibi.

In cases like these, people linked through DNA become suspects for a time, facing the very real indignity of living under a cloud of suspicion until, and possibly after, their names are cleared. In some cases, like Mr. Anderson’s, they may also spend months in jail.

Advances in DNA technology will likely make these false identifications more common. Increasingly, forensic samples come from “touch” DNA—minuscule samples of DNA deposited on physical surfaces that people have touched—rather than from a single source, such as blood or semen. Touch DNA is less reliable and harder to match both because it may not include enough DNA for meaningful interpretation and because it often contains DNA from multiple people—some of whom may have had no connection to the crime at all. A person’s DNA can remain on an item that has been handled by many others or can be transferred to an item that was never in their possession. For example, in Mr. Anderson’s case, paramedics likely transferred his DNA to the murder victim when they responded to the crime scene hours after dropping Anderson off at the hospital.

But genetic privacy concerns go far beyond criminal justice. Our DNA contains our entire genetic makeup. It can reveal where our ancestors came from, who we are related to, our physical characteristics, and whether we are likely to get a host of genetically determined diseases. Researchers have also theorized DNA may predict race, intelligence, criminality, sexual orientation, and even political ideology.

It’s hard to prevent DNA linked to us from ending up in private databases, because, as in the Golden State Killer case, a distant relative you don’t know may add their own DNA. Not only could this be used to identify you, it could be used to predict how you vote, whether you’re a credit risk, or even when you might die. If this genetic information falls into the wrong hands it could impact our lives in unimaginable ways.

Currently there are no clear legal protections against improper access to and misuse of this data, not just by law enforcement, but also by insurers, data brokers, or private investigators. Once a person submits DNA to a database—or their DNA is submitted without their knowledge—nothing besides company policy may protect it.

And even if you don’t choose to add your own DNA to a private database, a relative could, essentially, make that choice for you by adding their own. In 2012, researchers used genetic genealogy databases and publicly available information to identify nearly 50 people from just three original anonymized samples.

In the excitement over the Golden State Killer, we shouldn’t lose sight of the urgent need for legal rules to govern access to private DNA. At a minimum, law enforcement should have to get a warrant to access this data. The ability to research family history and disease risk shouldn’t carry the risk that our data will be accessible to police or insurers and used in ways we never could have foreseen.
